First OS X Ransomware Hits Apple Macs

Apple’s perception of enhanced security has taken another hit with the very first OS X ransomware attack having taken place through the BitTorrent program Transmission. Ransomware is malicious software that will lock the user out of their computer’s files. The “ransom” is the payment that the hackers demand for unlocking the computer. Typically, this payment can be anywhere from $500 to $1,500 dollars.

The OS X ransomware in question is a program called the KeRanger virus. The Palo Alto Networks Research Center called KeRanger “the first fully functional ransomware seen on the OS X platform.” OS X is the main operating system used by Apple’s Mac computers. In the past, hackers have largely ignored Apple platforms, but there has been a steady increase in attacks commensurate with Apple’s gains in market share.

Claud Xiao and Jin Chen from the Palo Alto Networks Research Center found the KeRanger OS X ransomware in a version of the Transmission BitTorrent program. This is worrying as it is a program that is being heavily used to stream the latest Star Wars film, the popularity of which means that it might have spread very widely indeed. Those computers that have the malicious code will be locked up within about three days and be presented with a demand for payment to unlock the computer. Security experts advise against paying the OS X ransomware demand for a variety of reasons. There is the obvious fact that payment will likely encourage further attacks as the hackers see that their scam was successful. There is also the security problem associated with giving card or account details to criminal hackers. But most important is the fact that such payment simply isn’t required. Reverting the computer to an earlier restore point should clear up the problem.

It appears that one of the reasons the KeRanger OS X Ransomware has been so successful is that it was reportedly hidden in a readme.txt file. Security expert Jonathon Zdziarski described the practice as “genius,” pointing out that readme files were least likely to attract attention. A readme.txt file usually contains instructions for operation or installation, or other text relating to the program being installed, and is most usually ignored by seasoned computer users.

It is currently impossible to determine the extent of the OS X ransomware attack. There is no way of knowing how many computers were hit during the period between the OS X ransomware’s creation and its subsequent detection. Apple has now flagged the program and prevented it from being installed on any more computers. While this guards against future infection, those who have already been infected have a few days’ wait before they find out.

The very first OS X ransomware attack signals the beginning of the end for the complacency that many Apple users and devotees have displayed with regard to computer security. Some analysts say that the increasing mass appeal of Apple platforms has led to their being considered as more attractive targets for hackers. In the past, it was seen as being far too much work for far too small a pool of users. But with Apple’s market share continuing to expand, it looks like those days are over.

Affected users should look at the “How to Protect Yourself” section of the Palo Alto Networks Research Center blog post on the Keranger OS X ransomware. Anyone who downloaded Transmission after 11:00 a.m. PST, March 4, 2016 and before 7:00 p.m. PST, March 5, 2016 could be affected. Similarly, anyone downloading the program from third party sites around or before these dates could also be affected.

[Photo by Andrew Burton/Getty Images]